PT-2022-3529 · Secheron · Secheron Sepcos

Anthony Candarini +3

Published 2022-05-10 · Updated 2022-07-05 · CVE-2022-1667

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Secheron SEPCOS Single Package relay control and protection software (affected versions not specified).

Description: The software does not enforce the intended sequence of actions (authentication and confirmation steps) before executing a device reboot. A remote, unauthenticated attacker can reboot the PLC, causing a denial of service, either by calling the web interface's JavaScript reboot function directly, for example from the browser console, or by simply loading the browser-accessible PHP script that the function invokes. The CVSS vector reflects this: no authentication is required (Au:N) and the impact is a complete loss of availability (A:C).

Recommendations: At the time of writing, no fixed version is known. As a temporary workaround, restrict access to the PHP script that performs the reboot, for example by requiring an authenticated administrative session and a POST request on the server side, and limit who can reach the device's web interface at the network level. Disabling or removing the client-side JS function reduces casual exposure, but it is not a security control on its own: the check has to happen on the server, because an attacker can send the request to the PHP script directly without ever calling the JS function.
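To make the server-side mitigation concrete, the following is an added example, not Secheron's code and not the vulnerable script itself (the advisory does not disclose its name or contents). It contrasts the weak pattern the description implies, a browser-reachable PHP script that reboots the device on any request, with a hardened handler that refuses to act unless the request is a POST from an authenticated administrative session carrying a valid CSRF token. The script name `reboot.php`, the `device_reboot()` primitive, the session keys and the token field name are all assumptions.

```php
<?php
// Hypothetical example added to this advisory; not Secheron's code.
// device_reboot(), the $_SESSION keys and 'csrf_token' are assumed names.

// Stand-in for the device-specific reboot primitive (assumption).
function device_reboot(): void
{
    // e.g. exec('/sbin/reboot'); stubbed out here so the example is safe to run
    error_log('device_reboot() called');
}

// Weak pattern described in the advisory: any request that reaches the
// script, including a bare GET typed into the address bar, reboots the
// device. Kept only for contrast; do not deploy.
function reboot_weak(): void
{
    device_reboot();   // no method check, no authentication, no CSRF token
}

// Hardened handler: every check runs on the server, so removing the
// client-side JS function is no longer what stands between an attacker
// and the reboot.
function reboot_hardened(): void
{
    // 1. Accept POST only. A URL load (GET from the address bar, a link,
    //    an <img> tag) can no longer trigger the action.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit;
    }

    // 2. Require an authenticated session holding the administrative role.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit;
    }

    // 3. Require a CSRF token bound to this session, compared in constant
    //    time, so a logged-in admin cannot be tricked into submitting the
    //    form from another site.
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $_POST['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit;
    }

    // 4. Record who asked before acting, so the reboot is attributable in
    //    the device's audit trail.
    error_log(sprintf(
        'reboot requested by user %s from %s',
        $_SESSION['user_id'],
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));

    device_reboot();
}

// Entry point for the hypothetical reboot.php
reboot_hardened();
```

The form that drives this handler would embed the session's `csrf_token` as a hidden field, and the token itself would be generated once per session with `bin2hex(random_bytes(32))`. If the device's web server supports it, additionally restricting the script to an allow-list of management addresses at the web-server or firewall level gives a second layer that does not depend on the application code at all.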

Weakness Enumeration

Related Identifiers

BDU:2022-04312
CVE-2022-1667

Affected Products

Secheron Sepcos